https://miscreants.github.io/blog.trailofbits.com/2023/Recent content in 2023 on The Trail of Bits BlogHugoen-usFri, 29 Dec 2023 09:00:51 -0500https://miscreants.github.io/blog.trailofbits.com/2023/12/29/billion-times-emptiness/Fri, 29 Dec 2023 09:00:51 -0500https://miscreants.github.io/blog.trailofbits.com/2023/12/29/billion-times-emptiness/Behind Ethereum’s powerful blockchain technology lies a lesser-known challenge that blockchain developers face: the intricacies of writing robust Ethereum ABI (Application Binary Interface) parsers. Ethereum’s ABI is critical to the blockchain’s infrastructure, enabling seamless interactions between smart contracts and external applications. The complexity of data types and the need for precise encoding […]https://miscreants.github.io/blog.trailofbits.com/2023/12/27/ai-in-windows-investigating-windows-copilot/Wed, 27 Dec 2023 09:00:22 -0500https://miscreants.github.io/blog.trailofbits.com/2023/12/27/ai-in-windows-investigating-windows-copilot/AI is becoming ubiquitous, as developers of widely used tools like GitHub and Photoshop are quickly implementing and iterating on AI-enabled features. With Microsoft’s recent integration of Copilot into Windows, AI is even on the old stalwart of computing—the desktop. The integration of an AI assistant into an entire operating system is a significant development that warrants investigation.https://miscreants.github.io/blog.trailofbits.com/2023/12/26/weve-added-more-content-to-zkdocs/Tue, 26 Dec 2023 09:00:59 -0500https://miscreants.github.io/blog.trailofbits.com/2023/12/26/weve-added-more-content-to-zkdocs/We’ve updated ZKDocs with four new sections and additions to existing content. ZKDocs provides explanations, guidance, and documentation for cryptographic protocols that are otherwise sparingly discussed but are used in practice. As such, we’ve added four new sections detailing common protocols that previously lacked implementation guidance: The Inner Product Argument (IPA), which […]https://miscreants.github.io/blog.trailofbits.com/2023/12/22/catching-openssl-misuse-using-codeql/Fri, 22 Dec 2023 09:00:35 -0500https://miscreants.github.io/blog.trailofbits.com/2023/12/22/catching-openssl-misuse-using-codeql/I’ve created five CodeQL queries that catch potentially potent bugs in the OpenSSL libcrypto API, a widely adopted but often unforgiving API that can be misused to cause memory leaks, authentication bypasses, and other subtle cryptographic issues in implementations. These queries—which I developed during my internship with my mentors, Fredrik Dahlgren and […]https://miscreants.github.io/blog.trailofbits.com/2023/12/20/summer-associates-2023-recap/Wed, 20 Dec 2023 09:00:13 -0500https://miscreants.github.io/blog.trailofbits.com/2023/12/20/summer-associates-2023-recap/This past summer at Trail of Bits was a season of inspiration, innovation, and growth thanks to the incredible contributions of our talented interns, who took on a diverse range of technical projects under the mentorship of Trail of Bits engineers. We’d like to delve into their accomplishments, from enhancing the efficiency of fuzzing tools […]https://miscreants.github.io/blog.trailofbits.com/2023/12/18/a-trail-of-flipping-bits/Mon, 18 Dec 2023 08:30:16 -0500https://miscreants.github.io/blog.trailofbits.com/2023/12/18/a-trail-of-flipping-bits/Trusted execution environments (TEE) such as secure enclaves are becoming more popular to secure assets in the cloud. Their promise is enticing because when enclaves are properly used, even the operator of the enclave or the cloud service should not be able to access those assets. However, this leads to […]https://miscreants.github.io/blog.trailofbits.com/2023/12/14/darpas-ai-cyber-challenge-were-in/Thu, 14 Dec 2023 09:00:45 -0500https://miscreants.github.io/blog.trailofbits.com/2023/12/14/darpas-ai-cyber-challenge-were-in/We’re thrilled to announce that Trail of Bits will be competing in DARPA’s upcoming AI Cyber Challenge (AIxCC)! DARPA is challenging competitors to develop novel, fully automated AI-driven systems capable of securing the critical software that underpins the modern world. We’ve formed a team of world class software security and AI/ML experts, bringing together researchers, […]https://miscreants.github.io/blog.trailofbits.com/2023/12/11/say-hello-to-the-next-chapter-of-the-testing-handbook/Mon, 11 Dec 2023 08:30:16 -0500https://miscreants.github.io/blog.trailofbits.com/2023/12/11/say-hello-to-the-next-chapter-of-the-testing-handbook/Today we are announcing the latest addition to the Trail of Bits Testing Handbook: a brand new chapter on CodeQL! CodeQL is a powerful and versatile static analysis tool, and at Trail of Bits, we regularly use CodeQL on client engagements to find common vulnerabilities and to perform variant analysis for already […]https://miscreants.github.io/blog.trailofbits.com/2023/12/06/publishing-trail-of-bits-codeql-queries/Wed, 06 Dec 2023 08:30:25 -0500https://miscreants.github.io/blog.trailofbits.com/2023/12/06/publishing-trail-of-bits-codeql-queries/We are publishing a set of custom CodeQL queries for Go and C. We have used them to find critical issues that the standard CodeQL queries would have missed. This new release of a continuously updated repository of CodeQL queries joins our public Semgrep rules and Automated Testing Handbook in an effort […]https://miscreants.github.io/blog.trailofbits.com/2023/11/22/etw-internals-for-security-research-and-forensics/Wed, 22 Nov 2023 07:00:12 -0500https://miscreants.github.io/blog.trailofbits.com/2023/11/22/etw-internals-for-security-research-and-forensics/Why has Event Tracing for Windows (ETW) become so pivotal for endpoint detection and response (EDR) solutions in Windows 10 and 11? The answer lies in the value of the intelligence it provides to security tools through secure ETW channels, which are now also a target for offensive researchers looking to bypass […]https://miscreants.github.io/blog.trailofbits.com/2023/11/20/how-cisa-can-improve-oss-security/Mon, 20 Nov 2023 09:35:59 -0500https://miscreants.github.io/blog.trailofbits.com/2023/11/20/how-cisa-can-improve-oss-security/The US government recently issued a request for information (RFI) about open-source software (OSS) security. In this blog post, we will present a summary of our response and proposed solutions. Some of our solutions include rewriting widely used legacy code in memory safe languages such as Rust, funding OSS solutions to improve […]https://miscreants.github.io/blog.trailofbits.com/2023/11/15/assessing-the-security-posture-of-a-widely-used-vision-model-yolov7/Wed, 15 Nov 2023 10:15:05 -0500https://miscreants.github.io/blog.trailofbits.com/2023/11/15/assessing-the-security-posture-of-a-widely-used-vision-model-yolov7/TL;DR: We identified 11 security vulnerabilities in YOLOv7, a popular computer vision framework, that could enable attacks including remote code execution (RCE), denial of service, and model differentials (where an attacker can trigger a model to perform differently in different contexts). Open-source software […]https://miscreants.github.io/blog.trailofbits.com/2023/11/14/our-audit-of-pypi/Tue, 14 Nov 2023 08:00:37 -0500https://miscreants.github.io/blog.trailofbits.com/2023/11/14/our-audit-of-pypi/This is a joint post with the PyPI maintainers; read their announcement here! This audit was sponsored by the Open Tech Fund as part of their larger mission to secure critical pieces of internet infrastructure. You can read the full report in our Publications repository. Late this summer, we performed an audit […]https://miscreants.github.io/blog.trailofbits.com/2023/11/06/adding-build-provenance-to-homebrew/Mon, 06 Nov 2023 08:00:37 -0500https://miscreants.github.io/blog.trailofbits.com/2023/11/06/adding-build-provenance-to-homebrew/This is a joint post with Alpha-Omega—read their announcement post as well! We’re starting a new project in collaboration with Alpha-Omega and OpenSSF to improve the transparency and security of Homebrew. This six-month project will bring cryptographically verifiable build provenance to homebrew-core, allowing end users and companies to prove that Homebrew’s packages come from the official Homebrew CI/CD.https://miscreants.github.io/blog.trailofbits.com/2023/10/30/the-issue-with-ats-in-apples-macos-and-ios/Mon, 30 Oct 2023 08:00:57 -0400https://miscreants.github.io/blog.trailofbits.com/2023/10/30/the-issue-with-ats-in-apples-macos-and-ios/Trail of Bits is publicly disclosing a vulnerability (CVE-2023-38596) that affects iOS, iPadOS, and tvOS before version 17, macOS before version 14, and watchOS before version 10. The flaw resides in Apple’s App Transport Security (ATS) protocol handling. We discovered that Apple’s ATS fails to require the encryption of connections to IP […]https://miscreants.github.io/blog.trailofbits.com/2023/10/23/numbers-turned-weapons-dos-in-osmosis-math-library/Mon, 23 Oct 2023 14:27:31 -0400https://miscreants.github.io/blog.trailofbits.com/2023/10/23/numbers-turned-weapons-dos-in-osmosis-math-library/Trail of Bits is publicly disclosing a vulnerability in the Osmosis chain that allows an attacker to craft a transaction that takes up a disproportionate amount of compute time on Osmosis nodes compared to the amount of gas it consumes. Using the vulnerability, an attacker can halt the Osmosis chain by spamming […]https://miscreants.github.io/blog.trailofbits.com/2023/10/05/introducing-invariant-development-as-a-service/Thu, 05 Oct 2023 08:00:52 -0400https://miscreants.github.io/blog.trailofbits.com/2023/10/05/introducing-invariant-development-as-a-service/Understanding and rigorously testing system invariants are essential aspects of developing robust smart contracts. Invariants are facts about the protocol that should remain true no matter what happens. Defining and testing these invariants allows developers to prevent the introduction of bugs and make their code more robust in the long term. However, it is difficult […]https://miscreants.github.io/blog.trailofbits.com/2023/09/25/pitfalls-of-relying-on-ebpf-for-security-monitoring-and-some-solutions/Mon, 25 Sep 2023 07:00:47 -0400https://miscreants.github.io/blog.trailofbits.com/2023/09/25/pitfalls-of-relying-on-ebpf-for-security-monitoring-and-some-solutions/eBPF (extended Berkeley Packet Filter) has emerged as the de facto Linux standard for security monitoring and endpoint observability. It is used by technologies such as BPFTrace, Cilium, Pixie, Sysdig, and Falco due to its low overhead and its versatility. There is, however, a dark (but open) secret: eBPF was never intended […]https://miscreants.github.io/blog.trailofbits.com/2023/09/20/dont-overextend-your-oblivious-transfer/Wed, 20 Sep 2023 08:00:53 -0400https://miscreants.github.io/blog.trailofbits.com/2023/09/20/dont-overextend-your-oblivious-transfer/We found a vulnerability in a threshold signature scheme that allows an attacker to recover the signing key of threshold ECDSA implementations that are based on Oblivious Transfer (OT). A malicious participant of the threshold signing protocols could perform selective abort attacks during the OT extension subprotocol, recover the secret […]https://miscreants.github.io/blog.trailofbits.com/2023/09/18/security-flaws-in-an-sso-plugin-for-caddy/Mon, 18 Sep 2023 08:00:42 -0400https://miscreants.github.io/blog.trailofbits.com/2023/09/18/security-flaws-in-an-sso-plugin-for-caddy/We identified 10 security vulnerabilities within the caddy-security plugin for the Caddy web server that could enable a variety of high-severity attacks in web applications, including client-side code execution, OAuth replay attacks, and unauthorized access to resources. During our evaluation, Caddy was deployed as a reverse proxy […]https://miscreants.github.io/blog.trailofbits.com/2023/09/11/holy-macroni-a-recipe-for-progressive-language-enhancement/Mon, 11 Sep 2023 08:00:12 -0400https://miscreants.github.io/blog.trailofbits.com/2023/09/11/holy-macroni-a-recipe-for-progressive-language-enhancement/Despite its use for refactoring and static analysis tooling, Clang has a massive shortcoming: the Clang AST does not provide provenance information about which CPP macro expansions a given AST node is expanded from; nor does it lower macro expansions down to LLVM Intermediate Representation (IR) code. This makes the construction of […]https://miscreants.github.io/blog.trailofbits.com/2023/08/29/secure-your-apollo-graphql-server-with-semgrep/Tue, 29 Aug 2023 08:00:14 -0400https://miscreants.github.io/blog.trailofbits.com/2023/08/29/secure-your-apollo-graphql-server-with-semgrep/tl;dr: Our publicly available Semgrep ruleset has nine new rules to detect misconfigurations of versions 3 and 4 of the Apollo GraphQL server. Try them out with semgrep –config p/trailofbits! When auditing several of our clients’ Apollo GraphQL servers, I kept finding the same issues over and over: cross-site request forgery (CSRF) […]https://miscreants.github.io/blog.trailofbits.com/2023/08/28/iverify-is-now-an-independent-company/Mon, 28 Aug 2023 07:00:45 -0400https://miscreants.github.io/blog.trailofbits.com/2023/08/28/iverify-is-now-an-independent-company/We’re proud to announce that iVerify is now an independent company following its four-year incubation at Trail of Bits. Originally developed in-house to ensure that our personal phones, which store data essential to our work and private lives, were secured to the standards of security professionals, iVerify quickly showed that it could be valuable to […]https://miscreants.github.io/blog.trailofbits.com/2023/08/23/the-engineers-guide-to-blockchain-finality/Wed, 23 Aug 2023 07:00:53 -0400https://miscreants.github.io/blog.trailofbits.com/2023/08/23/the-engineers-guide-to-blockchain-finality/Many security-critical off-chain applications use a simple block delay to determine finality: the point at which a transaction becomes immutable in a blockchain’s ledger (and is impossible to “undo” without extreme economic cost). But this is inadequate for most networks, and can become a single point of failure for the centralized exchanges, […]https://miscreants.github.io/blog.trailofbits.com/2023/08/14/can-you-pass-the-rekt-test/Mon, 14 Aug 2023 04:00:50 -0400https://miscreants.github.io/blog.trailofbits.com/2023/08/14/can-you-pass-the-rekt-test/One of the biggest challenges for blockchain developers is objectively assessing their security posture and measuring how it progresses. To address this issue, a working group of Web3 security experts, led by Trail of Bits CEO Dan Guido, met earlier this year to create a simple test for profiling the security of blockchain teams. We […]https://miscreants.github.io/blog.trailofbits.com/2023/08/09/use-our-suite-of-ebpf-libraries/Wed, 09 Aug 2023 06:45:15 -0400https://miscreants.github.io/blog.trailofbits.com/2023/08/09/use-our-suite-of-ebpf-libraries/Trail of Bits has developed a suite of open-source libraries designed to streamline the creation and deployment of eBPF applications. These libraries facilitate efficient process and network event monitoring, function tracing, kernel debug symbol parsing, and eBPF code generation. Previously, deploying portable, dependency-free eBPF applications posed significant challenges due to Linux kernel […]https://miscreants.github.io/blog.trailofbits.com/2023/08/02/a-mistake-in-the-bulletproofs-paper-could-have-led-to-the-theft-of-millions-of-dollars/Wed, 02 Aug 2023 07:00:30 -0400https://miscreants.github.io/blog.trailofbits.com/2023/08/02/a-mistake-in-the-bulletproofs-paper-could-have-led-to-the-theft-of-millions-of-dollars/We discovered a critical vulnerability in Incognito Chain that would allow an attacker to mint arbitrary tokens and drain user funds. Incognito offers confidential transactions through zero-knowledge proofs, so an attacker could have stolen millions of dollars of shielded funds without ever being detected or identified. The vulnerability stemmed from an insecure […]https://miscreants.github.io/blog.trailofbits.com/2023/07/31/how-ai-will-affect-cybersecurity-what-we-told-the-cftc/Mon, 31 Jul 2023 07:00:32 -0400https://miscreants.github.io/blog.trailofbits.com/2023/07/31/how-ai-will-affect-cybersecurity-what-we-told-the-cftc/Dan Guido, CEO The second meeting of the Commodity Futures Trading Commission’s Technology Advisory Committee (TAC) on July 18 focused on the effects of AI on the financial sector. During the meeting, I explained that AI has the potential to fundamentally change the balance between cyber offense and defense, and that we need security-focused benchmarks […]https://miscreants.github.io/blog.trailofbits.com/2023/07/28/the-future-of-clang-based-tooling/Fri, 28 Jul 2023 07:00:19 -0400https://miscreants.github.io/blog.trailofbits.com/2023/07/28/the-future-of-clang-based-tooling/Clang is a marvelous compiler; it’s a compiler’s compiler! But it isn’t a toolsmith’s compiler. As a toolsmith, my ideal compiler would be an open book, allowing me to get to everywhere from anywhere. The data on which my ideal compiler would operate (files, macros, tokens), their eventual interpretation (declarations, statements, types), […]https://miscreants.github.io/blog.trailofbits.com/2023/07/26/announcing-the-trail-of-bits-testing-handbook/Wed, 26 Jul 2023 07:00:28 -0400https://miscreants.github.io/blog.trailofbits.com/2023/07/26/announcing-the-trail-of-bits-testing-handbook/Trail of Bits is thrilled to announce the Testing Handbook, the shortest path for developers and security professionals to derive maximum value from the static and dynamic analysis tools we use at Trail of Bits. Why did we create the Testing Handbook? At Trail of Bits, we have spent countless hours studying, […]https://miscreants.github.io/blog.trailofbits.com/2023/07/21/fuzzing-on-chain-contracts-with-echidna/Fri, 21 Jul 2023 07:00:31 -0400https://miscreants.github.io/blog.trailofbits.com/2023/07/21/fuzzing-on-chain-contracts-with-echidna/With the release of version 2.1.0 of Echidna, our fuzzing tool for Ethereum smart contracts, we’ve introduced new features for direct retrieval of on-chain data, such as contract code and storage slot values. This data can be used to fuzz deployed contracts in their on-chain state or to test […]https://miscreants.github.io/blog.trailofbits.com/2023/07/18/trail-of-bitss-response-to-ostp-national-priorities-for-ai-rfi/Tue, 18 Jul 2023 13:46:44 -0400https://miscreants.github.io/blog.trailofbits.com/2023/07/18/trail-of-bitss-response-to-ostp-national-priorities-for-ai-rfi/The Office of Science and Technology Policy (OSTP) has circulated a request for information (RFI) on how best to develop policies that support the responsible development of AI while minimizing risk to rights, safety, and national security. In our response, we highlight the following points: To ensure that AI […]https://miscreants.github.io/blog.trailofbits.com/2023/07/14/evaluating-blockchain-security-maturity/Fri, 14 Jul 2023 03:00:03 -0400https://miscreants.github.io/blog.trailofbits.com/2023/07/14/evaluating-blockchain-security-maturity/Holistic security reviews should reveal far more than simple bugs. Often, these bugs indicate deeper issues that can be challenging to understand and address. Given the time-boxed nature of reviews, security engineers may not have the opportunity to identify all bugs caused by these problems—and they may continue to […]https://miscreants.github.io/blog.trailofbits.com/2023/07/12/what-we-told-the-cftc-about-crypto-threats/Wed, 12 Jul 2023 07:00:13 -0400https://miscreants.github.io/blog.trailofbits.com/2023/07/12/what-we-told-the-cftc-about-crypto-threats/In March, I joined the Commodity Futures Trading Commission’s Technology Advisory Committee (TAC), helping the regulatory agency navigate the complexities of cybersecurity risks, particularly in emerging technologies like AI and blockchain. During the committee’s first meeting, I discussed how the rapidly changing and public nature of blockchain technology makes it uniquely susceptible […]https://miscreants.github.io/blog.trailofbits.com/2023/07/07/differential-fuzz-testing-upgradeable-smart-contracts-with-diffusc/Fri, 07 Jul 2023 07:00:33 -0400https://miscreants.github.io/blog.trailofbits.com/2023/07/07/differential-fuzz-testing-upgradeable-smart-contracts-with-diffusc/On March 28, 2023, SafeMoon, a self-styled “community-focused DeFi token” on Binance Smart Chain, lost the equivalent of $8.9 million in Binance Coin BNB to an exploit in a liquidity pool. The exploit leveraged a simple error introduced in an upgrade to SafeMoon’s SFM token contract, allowing the attacker to burn tokens held in the […]https://miscreants.github.io/blog.trailofbits.com/2023/06/16/trail-of-bitss-response-to-ntia-ai-accountability-rfc/Fri, 16 Jun 2023 08:00:10 -0400https://miscreants.github.io/blog.trailofbits.com/2023/06/16/trail-of-bitss-response-to-ntia-ai-accountability-rfc/The National Telecommunications and Information Administration (NTIA) has circulated an Artificial Intelligence (AI) Accountability Policy Request for Comment on what policies can support the development of AI audits, assessments, certifications, and other mechanisms to create earned trust in AI systems. Trail of Bits has submitted a response to the […]https://miscreants.github.io/blog.trailofbits.com/2023/06/15/finding-bugs-with-mlir-and-vast/Thu, 15 Jun 2023 07:00:10 -0400https://miscreants.github.io/blog.trailofbits.com/2023/06/15/finding-bugs-with-mlir-and-vast/Intermediate languages (IRs) are what reverse engineers and vulnerability researchers use to see the forest for the trees. IRs are used to view programs at different abstraction layers, so that analysis can understand both low-level code aberrations and higher levels of flawed logic mistakes. The setback is that bug-finding tools are often pigeonholed into choosing […]https://miscreants.github.io/blog.trailofbits.com/2023/05/23/trusted-publishing-a-new-benchmark-for-packaging-security/Tue, 23 May 2023 07:00:20 -0400https://miscreants.github.io/blog.trailofbits.com/2023/05/23/trusted-publishing-a-new-benchmark-for-packaging-security/Read the official announcement on the PyPI blog as well! For the past year, we’ve worked with the Python Package Index to add a new, more secure authentication method called “trusted publishing.” Trusted publishing eliminates the need for long-lived API tokens and passwords, reducing the risk of supply chain attacks and credential leaks while also […]https://miscreants.github.io/blog.trailofbits.com/2023/05/16/real-world-crypto-2023-recap/Tue, 16 May 2023 09:54:43 -0400https://miscreants.github.io/blog.trailofbits.com/2023/05/16/real-world-crypto-2023-recap/Last month, hundreds of cryptographers descended upon Tokyo for the first Real World Crypto Conference in Asia. As in previous years, we dispatched a handful of our researchers and engineers to present and attend the conference. What sets RWC apart from other conferences is that it strongly emphasizes research, collaborations, and advancements in cryptography that […]https://miscreants.github.io/blog.trailofbits.com/2023/05/15/introducing-windows-notification-facilitys-wnf-code-integrity/Mon, 15 May 2023 07:00:45 -0400https://miscreants.github.io/blog.trailofbits.com/2023/05/15/introducing-windows-notification-facilitys-wnf-code-integrity/WNF (Windows Notification Facility) is an undocumented notification mechanism that allows communication inside processes, between processes, or between user mode processes and kernel drivers. Similar to other notification mechanisms like ETW (Event Tracing for Windows) and ALPC (Advanced Local Procedure Call), WNF communication happens over different “channels,” each representing […]https://miscreants.github.io/blog.trailofbits.com/2023/04/25/loose-code-sinks-nodes/Tue, 25 Apr 2023 07:00:57 -0400https://miscreants.github.io/blog.trailofbits.com/2023/04/25/loose-code-sinks-nodes/Last September, Principal Security Engineer Dr. Evan Sultanik was on a panel hosted by the Naval Postgraduate School’s Distributed Consensus: Blockchain & Beyond (DC:BB) movement, where faculty and students there are seeking opportunities to learn and share knowledge, research, funding, and events focused on distributed consensus technologies. The panel of nine government, academia, and industry […]https://miscreants.github.io/blog.trailofbits.com/2023/04/20/typos-that-omit-security-features-and-how-to-test-for-them/Thu, 20 Apr 2023 07:00:08 -0400https://miscreants.github.io/blog.trailofbits.com/2023/04/20/typos-that-omit-security-features-and-how-to-test-for-them/During a security audit, I discovered an easy-to-miss typo that unintentionally failed to enable _FORTIFY_SOURCE, which helps detect memory corruption bugs in incorrectly used C functions. We searched, found, and fixed twenty C and C++ bugs on GitHub with this same pattern. Here is a list of some of them related […]https://miscreants.github.io/blog.trailofbits.com/2023/04/18/a-winters-tale-improving-types-and-messages-in-gdbs-python-api/Tue, 18 Apr 2023 07:00:43 -0400https://miscreants.github.io/blog.trailofbits.com/2023/04/18/a-winters-tale-improving-types-and-messages-in-gdbs-python-api/As a winter associate at Trail of Bits, my goal was to make two improvements to the GNU Project Debugger (GDB): make it run faster and improve its Python API to support and improve tools that rely on it, like Pwndbg. The main goal was to run […]https://miscreants.github.io/blog.trailofbits.com/2023/03/30/acropalypse-polytracker-blind-spots/Thu, 30 Mar 2023 08:00:22 -0400https://miscreants.github.io/blog.trailofbits.com/2023/03/30/acropalypse-polytracker-blind-spots/The aCropalypse is upon us! Last week, news about CVE-2023-21036, nicknamed the “aCropalypse,” spread across Twitter and other media, and I quickly realized that the underlying flaw could be detected by our tool, PolyTracker. I’ll explain how PolyTracker can detect files affected by the vulnerability even without specific file format knowledge.https://miscreants.github.io/blog.trailofbits.com/2023/03/22/codex-and-gpt4-cant-beat-humans-on-smart-contract-audits/Wed, 22 Mar 2023 07:00:49 -0400https://miscreants.github.io/blog.trailofbits.com/2023/03/22/codex-and-gpt4-cant-beat-humans-on-smart-contract-audits/Is artificial intelligence (AI) capable of powering software security audits? Over the last four months, we piloted a project called Toucan to find out. Toucan was intended to integrate OpenAI’s Codex into our Solidity auditing workflow. This experiment went far […]https://miscreants.github.io/blog.trailofbits.com/2023/03/21/circomspect-static-analyzer-circom-more-passes/Tue, 21 Mar 2023 08:00:24 -0400https://miscreants.github.io/blog.trailofbits.com/2023/03/21/circomspect-static-analyzer-circom-more-passes/TL;DR: We have released version 0.8.0 of Circomspect, our static analyzer and linter for Circom. Since our initial release of Circomspect in September 2022, we have added five new analysis passes, support for tags, tuples, and anonymous components, links to in-depth descriptions of each identified issue, and squashed a […]https://miscreants.github.io/blog.trailofbits.com/2023/03/14/ai-security-safety-audit-assurance-heidy-khlaaf-odd/Tue, 14 Mar 2023 08:00:47 -0400https://miscreants.github.io/blog.trailofbits.com/2023/03/14/ai-security-safety-audit-assurance-heidy-khlaaf-odd/Trail of Bits has launched a practice focused on machine learning and artificial intelligence, bringing together safety and security methodologies to create a new risk assessment and assurance program. This program evaluates potential bespoke risks and determines the necessary safety and security measures for AI-based systems.https://miscreants.github.io/blog.trailofbits.com/2023/02/27/reusable-properties-ethereum-contracts-echidna/Mon, 27 Feb 2023 08:00:54 -0500https://miscreants.github.io/blog.trailofbits.com/2023/02/27/reusable-properties-ethereum-contracts-echidna/As smart contract security constantly evolves, property-based fuzzing has become a go-to technique for developers and security engineers. This technique relies on the creation of code properties – often called invariants – which describe what the code is supposed to do. To help the community define properties, we are releasing a set of 168 pre-built […]https://miscreants.github.io/blog.trailofbits.com/2023/02/23/escaping-well-configured-vscode-extensions-for-profit/Thu, 23 Feb 2023 08:00:42 -0500https://miscreants.github.io/blog.trailofbits.com/2023/02/23/escaping-well-configured-vscode-extensions-for-profit/In part one of this two-part series, we escaped Webviews in real-world misconfigured VSCode extensions. But can we still escape extensions if they are well-configured? In this post, we’ll demonstrate how I bypassed a Webview’s localResourceRoots by exploiting small URL parsing differences between the browser—i.e., the Electron-created Chromium instance where VSCode and […]https://miscreants.github.io/blog.trailofbits.com/2023/02/21/vscode-extension-escape-vulnerability/Tue, 21 Feb 2023 08:00:50 -0500https://miscreants.github.io/blog.trailofbits.com/2023/02/21/vscode-extension-escape-vulnerability/TL;DR: This two-part blog series will cover how I found and disclosed three vulnerabilities in VSCode extensions and one vulnerability in VSCode itself (a security mitigation bypass assigned CVE-2022-41042 and awarded a $7,500 bounty). We will identify the underlying cause of each vulnerability and create fully working exploits to demonstrate how an […]https://miscreants.github.io/blog.trailofbits.com/2023/02/16/suid-logic-bug-linux-readline/Thu, 16 Feb 2023 08:00:00 -0500https://miscreants.github.io/blog.trailofbits.com/2023/02/16/suid-logic-bug-linux-readline/I discovered a logic bug in the readline dependency that partially reveals file information when parsing the file specified in the INPUTRC environment variable. This could allow attackers to move laterally on a box where sshd is running, a given user is able to login, and the user’s private key […]https://miscreants.github.io/blog.trailofbits.com/2023/02/14/curl-audit-fuzzing-libcurl-command-line-interface/Tue, 14 Feb 2023 08:00:14 -0500https://miscreants.github.io/blog.trailofbits.com/2023/02/14/curl-audit-fuzzing-libcurl-command-line-interface/In fall 2022, Trail of Bits audited cURL, a widely-used command-line utility that transfers data between a server and supports various protocols. The project coincided with a Trail of Bits maker week, which meant that we had more manpower than we usually do, allowing us to take a nonstandard approach to the […]https://miscreants.github.io/blog.trailofbits.com/2023/01/19/ebpf-verifier-harness/Thu, 19 Jan 2023 08:00:42 -0500https://miscreants.github.io/blog.trailofbits.com/2023/01/19/ebpf-verifier-harness/During my internship at Trail of Bits, I prototyped a harness that improves the testability of the eBPF verifier, simplifying the testing of eBPF programs. My eBPF harness runs in user space, independently of any locally running kernel, and thus opens the door to testing of eBPF programs across different kernel versions. […]https://miscreants.github.io/blog.trailofbits.com/2023/01/17/rpc-investigator-microsoft-windows-remote-procedure-call/Tue, 17 Jan 2023 08:00:06 -0500https://miscreants.github.io/blog.trailofbits.com/2023/01/17/rpc-investigator-microsoft-windows-remote-procedure-call/A new tool for Windows RPC research. Trail of Bits is releasing a new tool for exploring RPC clients and servers on Windows. RPC Investigator is a .NET application that builds on the NtApiDotNet platform for enumerating, decompiling/parsing and communicating with arbitrary RPC servers. We’ve added visualization and additional features that offer […]https://miscreants.github.io/blog.trailofbits.com/2023/01/13/sigstore-python/Fri, 13 Jan 2023 10:00:58 -0500https://miscreants.github.io/blog.trailofbits.com/2023/01/13/sigstore-python/Read the official announcement on the Sigstore blog as well! Trail of Bits is thrilled to announce the first stable release of sigstore-python, a client implementation of Sigstore that we’ve been developing for nearly a year! This work has been graciously funded by Google’s Open Source Security Team (GOSST), who we’ve also […]https://miscreants.github.io/blog.trailofbits.com/2023/01/12/wolfssl-vulnerabilities-tlspuffin-fuzzing-ssh/Thu, 12 Jan 2023 08:00:17 -0500https://miscreants.github.io/blog.trailofbits.com/2023/01/12/wolfssl-vulnerabilities-tlspuffin-fuzzing-ssh/Trail of Bits is publicly disclosing four vulnerabilities that affect wolfSSL: CVE-2022-38152, CVE-2022-38153, CVE-2022-39173, and CVE-2022-42905. The four issues, which have CVSS scores ranging from medium to critical, can all result in a denial of service (DoS). These vulnerabilities have been discovered automatically using the novel protocol fuzzer tlspuffin. This blog post […]https://miscreants.github.io/blog.trailofbits.com/2023/01/10/open-source-contributions-2022/Tue, 10 Jan 2023 08:00:32 -0500https://miscreants.github.io/blog.trailofbits.com/2023/01/10/open-source-contributions-2022/This time last year, we wrote about the more than 190 Trail of Bits-authored pull requests that were merged into non-Trail of Bits repositories in 2021. In 2022, we continued that trend by having more than 400 pull requests merged into non-Trail of Bits repositories! Why is this significant? While we take […]